Bugtraq mailing list archives

Re: Fwd: Information on MS99-022
From: deraison () CVS NESSUS ORG (Renaud Deraison)
Date: Mon, 5 Jul 1999 13:37:24 +0200

On Mon, 5 Jul 1999, Darren Reed wrote:

> > But as someone else pointed out in this very same list, it's not always
> > possible to determine whether there is a problem or not in another way
> > than actually testing the flaw (intrusion tests are an example)

> So everyone who has IIS4.0 should test for the flaw first before
> installing the patch?  I don't think that's the right methodology.
> When I apply patches, security or otherwise, I don't necessarily want
> to test the problem first and nor should I need to.

You don't need to, because you know you have not applied the patch yet, so
you know that you are vulnerable. Now, suppose that in two months you are
given the administration of 20 IIS servers in Asia, each located in a
separate office. Will you spend your day going from one office to another,
just checking for this flaw?

> I should get all
> the information I need to correctly apply the patch with the patch

> than running intrusion tests.  Those tests should be the mechanism by
> which you go from a state of having a collection of hosts about which
> you know nothing about to a state where you know what needs to be done
> (if anything) in order to minimise the risk of an intrusion and from
> there can implement a plan of action that keeps them in a state of
> minimal risk.

I agree 100%. If you probe these hosts and if no security flaw is
reported at all, whereas some flaws are reported on other servers, then
you'll first upgrade those servers, right? Not the one reported as
'safe'. However, those 'safe' hosts may have the IIS security flaw, which
may be more important than the flaws on the other hosts.

> > but the domain microsoft.com has been number one in terms of download and
> > site frequentation at nessus.org :) During a time,  they were downloading

> You're assuming that such access is in-line with a policy of "do not use
> the internet for non-work related things", which I'm sure is enforced the
> same everywhere :)
> I know of people who work at Microsoft who do so only as their `day job'.

Yeah. This was just a funny thing I noted. Not directly related to this
subject (I didn't mean: 'they should have given me the info since they
are using my tool'  --- just because there are too many employees)

> Or maybe what they saw in Nessus was enough to persuade them that going
> to ICSA was the right thing to do?

What did they see, according to you?

> Now you're catching on.  Security is a market of some value, today, not
> like it was back in the early 90's when things like FWTK/Satan were written
> and given away.

I disagree with that too. I'm not the only weirdo on this planet who is
giving away security tools. Just think about Nmap, Trinux, SAINT, ipchains
and many more.

> I give one away too, in case you weren't aware of that.  But I'm not
> arguing that there isn't any free security software or new projects
> don't happen, just that there is an increased value on such knowledge
> (of bugs and processes) today and hence less incentive to give such
> knowledge away.

And this is a shame anyway. As I wrote, making some benefit of the bugs
they make is not normal.
I think that I'll write a mail server of my own, not release the source,
include 30 security holes, and start to sell them one after the other.
Sounds like a good get-rich-quick scheme, doesn't it?

> I'd like to point out that your list does not mention any free knowledge
> bases or data warehouses which contain information on security

This will be corrected as soon as I find the time to take care of it,
but this is beyond the scope of the project.

                                -- Renaud

Renaud Deraison <deraison () cvs nessus org>
The Nessus Project -- http://www.nessus.org
